'Canary' Chrome chirps when it smells malware

Google on Thursday expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.

Chrome's current "Canary" build -- the label for very-early versions of the browser, earlier than even Chrome's Dev channel -- will post a warning at the bottom of the window when it detects an attempted download of malicious code.

Features added to the Canary build usually, although not always, eventually make it into the Dev channel -- the roughest-edged of the three distributed to users -- and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.

Canary's blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser's settings.

"Content.exe is malicious, and Chrome has blocked it," the message in Canary reads. The sole visible option is to click the "Dismiss" button, which makes the warning vanish. The only additional option, and that only after another click, is to "Learn more," which leads to yet another warning.

The Canary very-early build of Chrome displays this warning if it suspects a to-be-downloaded file is dangerous.

In Canary, there is no way for the user to contradict the malware blocking.

That's different than in the current Stable build of Chrome, which relies on a message that says, "This file is malicious. Are you sure you want to continue?" and gives the user a choice between tossing the downloaded file or saving it anyway.

As it has for some time, Chrome will show such warnings on select file extensions, primarily ".exe," which in Windows denotes an executable file, and ".msi," an installation package for Windows applications. Canary's expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software -- it cited screen savers and video plug-ins in a Thursday blog -- that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.

Browser hijacking is old-school malware -- it's been around for years and was one of the first ways attackers funded their work -- associated with rogue toolbars and "adware," a malware label that's fallen out of favor.

In the Thursday blog, Linus Upson, a Google vice president of engineering, claimed that browser hijacking remained one of the most popular complaints by Chrome users on its support forums. Previously, Google also added a "Reset browser settings" option in the browser's settings panel so users can restore Chrome to its original state after a hijack.

Google's malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple's Safari and Mozilla's Firefox all access to warn customers of potentially dangerous websites before they reach them.

In Chrome's case, the malware warning stems not only from the Safe Browsing "blacklist" of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.

CAMP is a reputational technology, similar to Microsoft's SmartScreen Application Reputation (App Rep), which was first added to Internet Explorer in version 9 (IE9) in March 2011. Both CAMP and App Rep use a combination of whitelists, blacklists and algorithms to create a ranking of the probability that a download is legitimate software. Files that don't meet a set legitimacy bar trigger a warning.

Since Google started using CAMP, NSS Labs said in a report issued last week (download PDF), Chrome's ability to spot and block malware has increased dramatically: From a 70% blocking rate in 2012 to 83% in 2013.

Users can try out the Canary build of Chrome by downloading it from Google's website.
